World Bank Group: Important Steps Taken on Internal Control but  
Additional Assessments Should Be Made (16-JUN-03, GAO-03-366).	 
                                                                 
The Congress passed Public Law 106-429 because it was concerned  
about the sufficiency of external audits of the financial	 
operations of the World Bank Group, a set of multilateral	 
development banks. This law provides that GAO report on the	 
sufficiency of such audits of each Bank Group entity. GAO	 
addressed (1) the extent that the external auditor was providing 
assurance on internal control over financial reporting, 	 
operations, and compliance with key provisions of bank charters  
and policies in conjunction with financial statement audits and  
(2) the role the Bank Group's audit committee plays in providing 
oversight of external financial statement audits and internal	 
control.							 
-------------------------Indexing Terms------------------------- 
REPORTNUM:   GAO-03-366 					        
    ACCNO:   A07163						        
  TITLE:     World Bank Group: Important Steps Taken on Internal      
Control but Additional Assessments Should Be Made		 
     DATE:   06/16/2003 
  SUBJECT:   Bank management					 
	     Internal controls					 
	     Audit oversight					 
	     Financial statement audits 			 

******************************************************************
** This file contains an ASCII representation of the text of a  **
** GAO Product.                                                 **
**                                                              **
** No attempt has been made to display graphic images, although **
** figure captions are reproduced.  Tables are included, but    **
** may not resemble those in the printed version.               **
**                                                              **
** Please see the PDF (Portable Document Format) file, when     **
** available, for a complete electronic file of the printed     **
** document's contents.                                         **
**                                                              **
******************************************************************
GAO-03-366

                                       A

Report to Congressional Committees

June 2003 WORLD BANK GROUP Important Steps Taken on Internal Control but
Additional Assessments Should Be Made

GAO- 03- 366

Letter 1 Results in Brief 3 Scope and Methodology 5 Background 7 Bank
Group Has Taken Important Steps on Internal Control but

Reporting Could Be Expanded 13 Bank Group Has Established an Audit
Committee That Provides

Oversight of Financial Reporting and Internal Control 20 Conclusions 22
Recommendations for Executive Action 22 Agency Comments and Our Evaluation
23

Appendixes

Appendix I: Components of Internal Control under COSO 28

Appendix II: Transparency International*s 2002 Corruption Perception Index
30

Appendix III: Comments from the World Bank Group 33

Appendix IV: Comments from the Department of the Treasury 36 Tables Table
1: Bank Group*s Development Assistance and New Projects

in 2002 9 Table 2: U. S. Resources Provided to the Bank Group through

June 30, 2002 10 Table 3: Bank Group Entities* Bases of Accounting and
Auditing

Standards 11 Table 4: World Bank Units Responsible for Internal Control
and

Oversight of Operations 17 Table 5: Audit Committee Responsibilities 20

Figures Figure 1: Bank Group*s Components and Functions 8 Figure 2: Bank
Group*s Flow of Government Funding and External

Audit Reporting 12 Figure 3: Categories of Internal Control 15 Figure 4:
Countries Included in Transparency International*s 2002

CPI 32

Abbreviations

COSO Committee of Sponsoring Organizations of the Treadway Commission CPI
Corruption Perception Index IAS International Accounting Standards IBRD
International Bank for Reconstruction and Development IDA International
Development Association IFC International Finance Corporation ISA
International Standards on Auditing MDB Multilateral Development Bank MIGA
Multilateral Investment Guarantee Agency U. S. GAAP U. S. generally
accepted accounting principles U. S. GAAS U. S. generally accepted
auditing standards

This is a work of the U. S. Government and is not subject to copyright
protection in the United States. It may be reproduced and distributed in
its entirety without further permission from GAO. It may contain
copyrighted graphics, images or other materials. Permission from the
copyright holder may be necessary should you wish to reproduce copyrighted
materials separately from GAO*s product.

June 16, 2003 Let er t Congressional Committees

Multilateral Development Banks (MDBs) were established to provide
financial support for projects and programs designed to promote social and
economic progress in developing countries throughout the world. In fiscal
year 2002, the United States provided approximately $1.3 billion to
support the missions of the MDBs, with about $820 million going to the
World Bank Group (Bank Group) and about $460 million going to regional
MDBs. 1 As a group, the MDBs are the largest source of development aid for
middle- and low- income countries.

Section 803( a) of the Foreign Operations, Export Financing, and Related
Programs Appropriations Act, 2001 (Public Law 106- 429) provides that GAO
report annually on the sufficiency of audits of the financial operations
of each MDB conducted by the persons or entities outside the bank. This is
the third in a series of reports in response to Public Law 106- 429*s
reporting requirement. 2 As agreed with your offices, this report covers
the following MDBs, which are all part of the World Bank Group: 3

 International Bank for Reconstruction and Development,  International
Development Association,  International Finance Corporation, and 
Multilateral Investment Guarantee Agency.

1 Foreign Operations, Export Financing, and Related Programs
Appropriations Act, 2002 (Public Law 107- 115), which states that these
funds are available to the MDBs until expended.

2 The first in this series was Multilateral Development Banks: Profiles of
Selected Multilateral Development Banks (GAO- 01- 665, May 18, 2001) and
the second was Regional Multilateral Development Banks: External Audit
Reporting Could Be Expanded (GAO- 02- 27, December 14, 2001).

3 The Bank Group actually consists of five closely associated institutions
but one of them* the International Centre for Settlement of Investment
Disputes* is not within the scope of our work required by Public Law 106-
429.

The International Bank for Reconstruction and Development and the
International Development Association, which accounted for 80 percent of
the development assistance the Bank Group provided to developing countries
in 2002, are referred to as the *World Bank.* Financial statement audits
and the related assurance on internal control provided by the external
auditor are important for the Bank Group entities because they  have
missions that emphasize distributing funds for development and

accountability for the use of those funds;  operate in countries where
transparency and accountability are ranked

among the lowest in the world; and  are multilateral entities not subject
to oversight by any single national

government. Because borrowing countries often lack the transparency and
accountability needed to prevent and detect corruption, the Bank Group
entities that provide loans risk having the funds used for purposes other
than those intended. The United States and other donors have indicated
that they are concerned about these risks. Donors want to be assured that
the funds they provide are used only for the intended purpose, and the
Bank Group*s lending entities need to assure donors that the standard of
care over those funds meets donor expectations. Representatives from the

United States and the European Union 4 have recently stated that they plan
to increase contributions to the world*s poorest countries if they have
assurance that the funds they are providing are used as intended in
developing countries and have measurable results.

As agreed with your offices, this report addresses the following two
specific areas related to the World Bank Group*s external financial
statement audit process:

4 The European Union consists of the following countries: Austria,
Belgium, Denmark, Finland, France, Germany, Greece, Ireland, Italy,
Luxembourg, the Netherlands, Portugal, Spain, Sweden, and the United
Kingdom.

1. the extent to which the Bank Group entities are obtaining assurance
from their external auditor on internal control 5 over financial
reporting, operations, and compliance with key provisions of their
charters and policies in conjunction with their financial statement audits
and

2. the role the Bank Group*s audit committee plays in providing oversight
of financial statement audits and internal control.

Results in Brief The Bank Group has taken important steps in strengthening
its assessment and reporting on internal control, such as (1) implementing
a structured internal control framework, (2) conducting the internal
control

assessments necessary to provide its external auditor with an assertion on
the effectiveness of the Bank Group*s internal control over external
financial reporting, and (3) contracting with its external auditor to
provide an opinion, in conjunction with the financial statement audit, on
whether management*s assertion on internal control over external financial
reporting is fairly stated. However, Bank Group management does not
include an assertion on internal control over operations and compliance
with key provisions of its bank charters and policies, and it has not
asked the external auditor to give an opinion on those internal controls.
Although the banks* charters do not specifically call for an assertion or
external review of internal control over operations and compliance, they
do state that the banks are to take the necessary measures to ensure that
the proceeds of any loan made, guaranteed, or participated in by them are
used

only for the purposes for which the loan was granted. The Bank Group*s
external financial statement audits do not, and are not intended to,
provide specific assurance about the internal control over the Bank
Group*s operations and whether the funds are spent for their intended
purposes. Given the inherent risks in the banks* activities, additional
assurance on these other categories of internal control* operations and
compliance* would provide an added level of assurance to the Bank Group
and its member countries that funds were used for their intended purposes.

5 Internal control comprises the plans, methods, and procedures used to
meet missions, goals, and objectives and, in doing so, supports
performance- based management. Internal control also serves as the first
line of defense in safeguarding assets and preventing and detecting errors
and fraud. In short, internal control, which is synonymous with management
control, helps program managers achieve desired results.

The Bank Group has established an audit committee that provides oversight
of financial statement audits and internal control. A major function of
this committee, a subgroup appointed by the board of executive directors
at the Bank Group entities, is to nominate an external auditor for
external audits and determine the scope of the auditor*s work and the
reports to be submitted by the auditor. The Bank Group*s audit committee
also has the external auditor provide an opinion, in conjunction with the
financial statement audit, on management*s assertion on the Bank Group*s
internal control over external financial reporting. The audit committee
has the authority, as part of determining the scope of the auditor*s work,
to expand the external audits to include the auditor giving opinions on
internal control over operations and compliance with bank charters and
provisions. Alternatively, the audit committee is also well- positioned to

assign an internal party or provide an external entity the task of
providing a thorough assessment of such controls. However, during our
review, we were told that the Bank Group does not yet have plans to
provide a comprehensive assessment of its controls. We recommend that the
Secretary of the Treasury* who is responsible for the federal government*s
interactions with the Bank Group entities*

instruct the U. S. Executive Director for the Bank Group to take the lead
in working with other executive directors in developing a policy requiring
these Bank Group entities to enhance the audit function and reporting of
their financial operations. This would entail conducting a comprehensive
evaluation of internal controls over operations and compliance to
determine whether such controls are in place and are functioning properly

to prevent misuse of funds and to ensure compliance with key provisions of
bank charters and policies. This group of executive directors would report
annually to the Board of Executive Directors, through the audit committee,
on the progress made. This evaluation could be carried out in any of
several ways, including through the internal audit function; by the
external auditor, in conjunction with the financial statement audit; by
another entity within

the Bank Group; or by an external party, such as a consultant. These Bank
Group entities should also provide the results of the assessment to member
countries annually. In its comments, the World Bank Group welcomed our
recommendation for a comprehensive assessment of internal controls over
operations and compliance with bank charters and policies but did not
comment on our recommendation that such evaluations be conducted annually.
The Bank Group stated that given the many reforms it has underway to
strengthen its control framework, an assessment of internal control over
operations and

compliance would be most useful if undertaken once the range of changes
over those controls is substantially in place. We agree that effective
timing for implementing our recommendation would coincide with the Bank
Group*s implementation of reforms. It added that such changes are expected
to be complete in about 18 to 24 months.

In its comments, the Department of the Treasury agreed with our
recommendation for a comprehensive evaluation of internal controls over
operations and compliance but not with our recommendation for annual
evaluations because it contends that the overall structure of internal
controls changes infrequently and usually only marginally. It suggests a
one

time comprehensive evaluation with periodic updates. We remain convinced
that the Bank Group should report annually on those controls given the
inherent risks in the Bank Group entities* lending activities.

Scope and Public Law 106- 429, Appendix A, Title VIII, identifies 10 MDBs
to be

Methodology included in the scope of our work. In prior work, we addressed
6 of the

MDBs listed in the law* the African Development Bank, African Development
Fund, Asian Development Bank, European Bank for Reconstruction and
Development, Inter- American Development Bank, and the Inter- American
Investment Corporation. As agreed with your offices, this report focuses
on the external financial statement audit and internal control reporting
process of the remaining four MDBs* which are all part of the Bank Group*
listed in the law:

 International Bank for Reconstruction and Development (IBRD), 
International Development Association (IDA),  International Finance
Corporation (IFC), and  Multilateral Investment Guarantee Agency (MIGA).
To meet our objectives, we met with Department of the Treasury officials

and a representative of the office of the U. S. Executive Director for the
Bank Group. We also

 reviewed the Bank Group entities* 2002 and 2001 audited financial
statements and the external auditors* opinions on the financial statements
and identified the accounting principles and auditing standards used,

 inquired of World Bank management and obtained information on the audit
committee, external audits, and the extent of the external auditor giving
opinions on internal control over financial reporting, operations, and
compliance matters,

 analyzed and compiled relevant financial information from the Bank Group
entities* annual reports and their audited financial statements,

 reviewed the banks* terms of reference to identify the scope of the
audit committee*s oversight and compared them to relevant guidance on
widely accepted internal control frameworks,

 reviewed widely accepted internal control frameworks, such as Internal
Control* Integrated Framework issued by the Committee of Sponsoring
Organizations of the Treadway Commission and Guidelines for Internal
Control Standards developed by the International Organization of Supreme
Audit Institutions, and

 discussed various options for reporting on internal control with
representatives from the international accounting firm responsible for the
financial statement audits of the Bank Group entities.

The Bank Group entities are multilateral, international entities that are
autonomous, and the United States, as an individual member country,
generally does not have audit authority over their operations. Thus, it
was not part of our scope to evaluate the components of the Bank Group
entities* internal control governance structure, nor did we evaluate the
quality of the external auditor*s work on their financial statement audits
and internal control examinations over external financial reporting.
Moreover, it was not part of our scope to determine whether the audit
committee members were independent of the Bank Group entities they served.

It was also not part of our scope to make any site visits to review any
Bank Group entities* projects or programs. In accordance with GAO*s
agreement with the Bank Group and the Department of the Treasury on this
assignment, our interaction with officials from the Bank Group was limited
to the designated representative from the office of the U. S. Executive
Director for the Bank Group. The articles of agreement establishing the
Bank Group entities require the United States to deal with those
organizations only through the Department of the Treasury. Therefore, we

used Treasury officials as a conduit for obtaining information to conduct
our work.

We conducted our work in Washington, D. C., from May 2002 through March
2003 in accordance with U. S. generally accepted government auditing
standards. In May 2003, we received comments from the World Bank Group and
the Department of the Treasury, which are reproduced in their entirety in
appendixes III and IV. In addition, the Bank Group also provided a number
of suggested technical changes to our report, which we incorporated as
appropriate. Background The Bank Group entities included in this report*
IBRD, IDA, IFC, and

MIGA* are multilateral, international entities with a mission to fight
poverty and improve the living standards of people in developing countries
throughout the world by providing development assistance in the form of
loans, equity investments, loan and equity guarantees, and technical
assistance. National governments are the shareholders* referred to as
members* of the Bank Group. These members include developing countries 6
that borrow from the Bank Group as well as industrialized member
countries. All members, including borrowing members, contribute to the
capital of the Bank Group and participate in oversight and in setting
operating policies through their participation on the boards of governors
and executive boards. See figure 1 for a summary of the components of the
Bank Group and their functions.

6 Member countries that borrow from the Bank Group are generally low- and
middle- income countries in need of social or economic development.

Figure 1: Bank Group*s Components and Functions

The International Bank for Reconstruction

The International Development Association and Development aims to reduce
poverty in serves as a concessional lending arm and middle- income and
creditworthy poorer

promotes economic development by providing countries by promoting
sustainable

annual interest- free credits to the world*s development through loans,
guarantees, and

poorest borrowers. nonlending advisory services.

The International Finance Corporation works The Multilateral Investment
Guarantee

with business partners in the private sector and

Agency helps encourage foreign investment in invests in sustainable
private enterprises in

developing countries by providing guarantees developing countries and
provides long- term

to foreign investors and provides technical loans, guarantees, and risk
management and

assistance to help countries disseminate advisory services.

information on investment opportunities. Source: Bank Group entities* 2002
annual reports.

The lending activities of the Bank Group can be grouped primarily into the
following two types: market- based lending primarily done by IBRD and
concessional lending primarily done by IDA. 7 IBRD provides loans with
market- based rates that are financed primarily through borrowings from
world capital markets, members* paid- in capital, and retained earnings.
Members also provide support through subscriptions of callable capital. 8
Because of the significant proportion of callable capital that is
subscribed

by members with strong credit ratings, including the United States, IBRD
is able to use callable capital as backing to obtain more favorable
financing terms when borrowing from world capital markets than would
otherwise be available. To date, IBRD has never made a call on this
capital.

IDA provides concessional loans to the poorest of the developing
countries* those meeting certain eligibility requirements* and is financed
through contributions from member countries and borrower repayments of
outstanding loans. These loans are called *concessional* because they are
provided with below- market interest rates and extended repayment terms.

7 IBRD and IDA are separate entities, but the term *World Bank* is
commonly used to refer to them as one. 8 Callable capital is a form of
capital that is subscribed by members and resembles promissory notes from
members to honor Bank Group debts if the Bank Group cannot meet its
obligations through other available resources.

Due to the nature of concessional lending and the credit risks 9 of
borrower countries, the concessional lending arms do not have callable
capital subscriptions and do not borrow from world capital markets to
finance their operations. Unlike IBRD, which borrows from world capital
markets to fund lending, IDA relies on capital replenishments or periodic
contributions by members in addition to repayments from loans and
transfers of net income from IBRD. As of June 30, 2002, the Bank Group had
outstanding loans of about $230 billion, and concessional loans
constituted 42 percent, or about $96 billion, of that total. In 2002, the
Bank Group entities approved about $24.4 billion of

development assistance consisting of loans, loan guarantees, and equity
investments for 466 new economic and social development operations and
projects. Loans with market- based interest rates, equity investments, and
loan guarantees accounted for about $16.3 billion of the total financial
support provided by the Bank Group during 2002, while concessional lending
amounted to about $8.1 billion. See table 1 for a summary of development
assistance in 2002 and number of new projects, by Bank Group entity.

Table 1: Bank Group*s Development Assistance and New Projects in 2002

Dollars in millions

Development New Bank Group entity assistance projects

International Bank for Reconstruction and Development $11, 500 96
International Development Association 8, 100 133 International Finance
Corporation 3, 600 204 Multilateral Investment Guarantee Agency 1, 200 33

Total $24, 400 466

Source: The World Bank Annual Report, 2002.

The Bank Group entities* activities are overseen through a board of
governors, with a governor from each member country. In general, a board
of governors is responsible for admitting new members, authorizing
agreements for cooperation with other international organizations,

9 Credit risk refers to the risk of default by a borrower or guarantor
that may result from nonperformance under the terms of lending agreements.

deciding about the board of executive directors, approving the Bank Group
entities* financial statements, determining the reserves and the
distribution of profits, and deciding the scope of operations. Each Bank
Group entity also has a board of executive directors, which is responsible
for, among other things, overseeing the banks* daily operations, ensuring
the implementation of the decisions of the board of governors, and
approving

the budgets of the banks. The Bank Group entities* own management and
staff of international civil servants carry out the daily operations.

The United States is a member in all the Bank Group entities discussed in
this report, contributing significant amounts to support their missions
and subscribing to a significant amount of their callable capital. The
Congress appropriates funds for U. S. contributions and capital
subscriptions to the Bank Group. In fiscal year 2002, the Congress
appropriated about $800 million in U. S. contributions and approved about
$20 million of new subscriptions to callable capital for the Bank Group.
The Department of the Treasury oversees U. S. interests in the Bank Group.
See table 2 for a summary of U. S. support of about $58.7 billion provided
to the components of the Bank Group entities from their inception through
June 30, 2002.

Table 2: U. S. Resources Provided to the Bank Group through June 30, 2002

Dollars in millions

U. S. paid- in capital or

U. S. callable Bank Group entity

contributions capital

International Bank for Reconstruction and $1, 998 $29, 966 Development
International Development Association 25, 842 International

Finance Corporation 569 Multilateral Investment Guarantee Agency 63 266

Total $28, 472 $30, 232

Source: Bank Group entities* 2002 annual reports. The Bank Group entities
prepare their financial statements to comply with different bases of
accounting. They present their financial statements using U. S. generally
accepted accounting principles (U. S. GAAP), international accounting
standards (IAS), and special purpose basis of accounting, as shown in
table 3. According to the Bank Group, due to the special nature and
organization of the IDA, the concessional lending arm of the Bank

Group, it prepares special purpose financial statements that are meant to
show the sources and uses of resources to comply with its articles of
agreement. 10 Table 3: Bank Group Entities* Bases of Accounting and
Auditing Standards

Accounting standards used to prepare financial Auditing standards used
Bank Group entity

statements to perform audit work

International Bank for U. S. GAAP and IAS U. S. Generally Accepted
Reconstruction and Auditing Standards (U. S.

Development GAAS) and International

Standards on Auditing (ISA) International Development

Special Purpose Basis of U. S. GAAS and ISA Association Accounting
International Finance

U. S. GAAP U. S. GAAS Corporation Multilateral Investment

U. S. GAAP and IAS U. S. GAAS and ISA Guarantee Agency Source: Bank Group
entities* 2002 annual reports. The Bank Group*s external auditor has
audited the annual financial

statements of all the entities of the Bank Group. Each entity has received
an unqualified or *clean* audit opinion on its financial statements for
the 3 most recent years. The Bank Group*s external financial statement
audits, performed by an international accounting firm, provide assurance
over its

reported financial position at a particular time and the financial results
of its operations and cash flows for a given fiscal year. However, the
Bank Group*s external financial statement audits do not, and are not
intended to, provide specific assurance about the internal control over
the Bank Group*s operations and whether the funds are spent for their
intended purposes. Figure 2 shows the relationship between the Bank
Group*s flow

of government funding and its external audit and reporting. 10 Article VI,
Section 11( a) of the Articles of Agreement of IDA.

Figure 2: Bank Group*s Flow of Government Funding and External Audit
Reporting

Member governments

$ Bank Group External audit process

$ Normally disbursements to borrowers/ end users below this line are in
the hands of member governments, private contractors, or both. These
disbursements are not specifically covered

by the Bank Group's financial statement audit processes. Audits

Infrastructure Technical Education

performed assistance Projects

by member and

government programs

or private in member

sector Agriculture

Health countries auditors

Management makes an assertion and external auditor gives an opinion only
on internal control over external financial reporting in conjunction with
the financial statement audit.

Source: GAO analysis based on review of Bank Group documents and
discussions with representatives of the international financial and audit
communities.

The Bank Group*s external auditor performs its audits based on U. S. GAAS
and ISA. These standards require the independent auditor to obtain a
sufficient understanding of internal control to plan the audit and
determine the nature, timing, and extent of tests to be performed. As part
of the audits of the Bank Group entities, the auditor communicates to the
audit committee any internal control material weaknesses and reportable
conditions that were noted during the course of the audit. As is common
practice, the auditor issues a written document known as a management

letter to communicate these weaknesses. The management letter addresses
issues detected as part of the financial statement audit work and

it is not meant to be a comprehensive examination of the sufficiency of
the Bank Group*s internal control. 11 Bank Group Has Taken Management of
the Bank Group entities has acknowledged the importance Important Steps on

of internal control and has (1) implemented a structured internal control
framework, (2) conducted the internal control assessments necessary to
Internal Control but

provide its external auditor with a formal assertion on the effectiveness
of Reporting Could Be the Bank Group*s internal control over external
financial reporting, and

Expanded (3) contracted with its external auditor to provide an opinion,
in conjunction with the financial statement audits, on whether
managements* assertions on internal control over external financial
reporting are fairly stated.

For fiscal year 2002, the four Bank Group entities included in their
annual reports both management*s assertion that it met the Committee of
Sponsoring Organizations of the Treadway Commission (COSO) 12 criteria on
internal control over external financial reporting as of June 30, 2002,
and the external auditor*s opinion that management*s assertion on internal
control over external financial reporting was fairly stated. However, Bank
Group management does not include in its assertion internal control over

operations and compliance with key provisions of bank charters and
policies, and it has not asked the external auditor to give opinions on
those internal controls.

Although the banks* charters do not specifically call for a management
assertion or an external auditor opinion on internal control over
operations and compliance, they do state that the banks are to take the
necessary measures to ensure that the proceeds of any loan made,
guaranteed, or

11 Private sector standards and guidance for financial statement audits do
not require the auditor to provide an opinion on the effectiveness of
internal control when performing a financial statement audit. Financial
statement audits are not intended to provide a basis for the evaluation of
the overall quality of the entity*s system of internal control. Therefore,
in a typical financial statement audit, many controls designed to ensure
the reliability of financial reporting, effectiveness and efficiency of
operations, and compliance with key provisions of bank charters may not be
tested.

12 COSO provides a framework designed to assist management in assessing
its internal control system against an established standard to help
identify basic weaknesses in operations, financial reporting, and legal/
regulatory compliance controls and act to strengthen them. See appendix I
for a description of the five components of internal control under the
COSO framework.

participated in by them are used only for the purposes for which the loan
was granted. Given the inherent risks in the banks* activities, further
assurance on these additional categories of internal control* operations
and compliance* would provide an added level of assurance to the Bank
Group and its member countries that funds were used for their intended
purposes. Bank Group Has Engaged

The Bank Group entities have acknowledged the importance of internal an
External Auditor to

control and have taken an important step in obtaining audit assurance over
Provide Opinions on

internal control: They have engaged their external auditor to provide an
Internal Control over

opinion on management*s assertions on internal control over external
financial reporting and have included those results in their 2002 annual
Financial Reporting

reports. This public reporting of the external auditor*s opinions on
management*s assertions provides a level of assurance on the Bank Group*s
ability to record, process, summarize and report financial data consistent
with the assertions in the financial statements as well as a level of
transparency to member countries and others outside the Bank Group.

The Bank Group* specifically through the controllers* departments 13 *has
also taken steps internally to strengthen internal control. The World
Bank, beginning in 1995, adopted the internal control standards of COSO.
The Bank Group adopted the COSO framework to establish a common definition
of internal control and provide a standard that managers and auditors can
use to assess and measure progress in improving internal control. Entities
and their internal control needs differ dramatically by line of business
and size, and by culture and management philosophy. COSO provides a
framework for implementing a system of internal control, but the specific
internal controls put in place and monitored by management depend on the
type of operations to be managed and the associated risks. See appendix I
for a description of the five components of internal control under the
COSO framework. Under the COSO framework, the effectiveness of internal
control is

measured by an organization*s capacity to provide reasonable assurance in
the following three categories.

13 The controllers* departments within IBRD, IDA, IFC, and MIGA oversee
the internal control framework and focus on financial integrity and
control, financial reporting, and monitoring.

 Reliability of financial reporting: Financial reporting controls relate
to an entity*s ability to prepare reliable financial statements. 
Effectiveness and efficiency of operations: Operations controls address

the entity*s basic business objectives, including performance goals and
the safeguarding of resources.

 Compliance with applicable laws and regulations: Compliance controls
deal with the entity complying with those laws and regulations to which
the entity is subject.

As shown in figure 3, under COSO, an organization is responsible for the
effectiveness of three categories of internal control.

Figure 3: Categories of Internal Control

Financial reporting

Internal control Categories of internal control

Operations Compliance Source: GAO analysis based on information from COSO.

Internal controls often serve to accomplish more than one objective.
Frequently, internal controls established primarily for operations or
compliance objectives may also accomplish financial reporting objectives.
Internal controls directed at operations and compliance also may deal with

events, transactions, or other occurrences that must be reported in the
financial statements. Internal control is not one event, but a series of
actions and activities occurring throughout an entity*s operations and on
an ongoing basis. As entities strive to improve operational processes,
management should continually assess and evaluate its internal control.
Monitoring* a process that assesses the quality of an internal control

system*s performance over time* is an essential element of internal
control and is particularly relevant for carrying out the fiduciary
responsibilities that are integral to the Bank Group*s operations.

Although current financial statement auditing standards established in the
private sector do not require the auditor to report on internal control
and compliance when performing a financial statement audit, the auditor
can be engaged to provide a level of assurance* called an attestation* on
internal control over operations and compliance. 14 The Bank Group also
has other options for providing assurance over internal control over
operations and compliance. For example, the Bank Group could request a
comprehensive evaluation of its internal controls over these functions,
which could be conducted by its internal auditor, its external auditor, an
outside consultant, or by another unit within the Bank Group.

World Bank Units* In its anticorruption progress report 15 and operations
evaluation report, 16 Responsibilities for Internal the World Bank states
that many units provide internal control and

Control and Oversight of oversight over the use of World Bank funds in
lending operations, including

Operations those shown in table 4.

14 Attestation standards apply whenever the auditor has been engaged to
provide assurance or report on a subject matter that is the responsibility
of another party. Certain engagements, such as a financial statement
audit, are not subject to attestation standards.

15 World Bank, Helping Countries Combat Corruption: Progress at the World
Bank Since 1997 (Washington, D. C., June 2000). 16 World Bank Operations
Evaluation Department, 2002 Annual Report on Operations Evaluation
(Washington, D. C., 2002).

Table 4: World Bank Units Responsible for Internal Control and Oversight
of Operations

World Bank units Function

Internal Auditing Department Performs audits to assess the integrity of
the internal controls of business processes, including those associated
with the project cycle.

Operations Evaluation Department Assesses which projects and programs
work, and which do not; how a borrower plans to operate and maintain a
project; and the lasting contribution to a country*s overall development.

Inspection Panel Receives and investigates claims from projectaffected
people alleging that they have been harmed by the World Bank*s violations
of its own policies and procedures.

Quality Assurance Group Conducts real time assessments of the quality of
the project portfolio, including supervision, financial management, and
monitoring and evaluation.

Quality Assurance and Seeks to improve compliance with safeguard
Compliance Unit policies.

Loan Department Reviews and signs off on the financial management and
disbursement aspects of loan agreements.

Legal Department Drafts loan agreements; reviews and clears compliance
with legal aspects of World Bank policies; and reviews the adequacy of the
legal framework for project implementation.

Operations Policy and Country Provides advice and support on preparing and
Services implementing lending and nonlending operations and managing
portfolios, including oversight of the World Bank*s procurement and
financial management functions and guidelines that govern lending
relationships and conditions. Corporate Committee on Fraud Seeks to ensure
that anticorruption policies and and Corruption Policy implementation
strategies are designed and effective

to help the Bank Group achieve its poverty reduction goals. Department of
Institutional

Investigates allegations of fraud and corruption in Integrity World Bank
financed projects and allegations of staff

misconduct. Source: World Bank*s reports on anticorruption, 2000, and
operations, 2002.

The World Bank states that the above units have taken on new and broadened
functions for quality assurance and evaluation over the past several years
and have strengthened its ability to supervise the fiduciary aspects of
its loans and help borrowers* some perceived to have the worst

corruption problems in the world as shown in appendix II* strengthen

their own capacities. The above units are an important part of the World
Bank*s internal control over operations and compliance. Although it was
not part of our scope to evaluate the effectiveness of these units, or any
similar units in IFC and MIGA, they have the potential of providing the
basis for the Bank Group to offer further assurance and transparency on
its internal controls. For example, the Bank Group*s internal or external
auditor, or other group or entity, internal or external to the Bank Group,
could provide a comprehensive evaluation of the Bank Group*s control over
operations and compliance to determine whether they are working as
designed to ensure that funds are spent as intended. In 1995, the World
Bank established a 5- year timeline to ensure that, by the end of fiscal
year 2000, management would be able to express assurance that adequate
controls were in place, not only for financial reporting purposes, but
also for efficiency and effectiveness of operations. The World Bank has
not yet met that goal. During our review, we were told that the Bank Group
does not yet have plans to have a comprehensive assessment of these
controls.

Bank Group Could Benefit Because the Bank Group entities operate in a
difficult and risky control

from Additional Assurance environment, the member countries could benefit
from additional

on Internal Control over assurance over the Bank Group entities* internal
control over operations

Operations and Compliance and compliance with key provisions of their
charters. The Bank Group

operates in countries where transparency and accountability are often
lacking, and corruption* broadly defined as the abuse of public office for
private gain* sometimes flourishes. The Bank Group must satisfy its dual
mandate of providing development assistance in these environments and
exercising its fiduciary responsibility, including ensuring that
corruption is minimized in the projects it finances.

The World Bank acknowledged in an anticorruption progress report 17 that
corruption undermines public support for development assistance by
creating an erroneous perception that all assistance is affected by
corruption. In this report, the World Bank stated that it would make every
effort to prevent corruption in the projects and programs it finances in
borrower countries. The report also showed the control and oversight units
the World Bank established to improve the operational effectiveness of its
procurement and financial management practices. However, the Bank Group
has not taken steps to provide additional assurance and

17 See Helping Countries Combat Corruption.

transparency that its funds are being used as intended by requiring a
comprehensive assessment of controls over operations and compliance.

In addition, the World Bank in its report Clean Government and Public
Financial Accountability 18 acknowledged that borrower countries*
government and external auditors are unable to give the World Bank
sufficient assurance that World Bank funds were exclusively used for

intended purposes. Risks that Bank Group funds are used for purposes other
than those for which loans were granted* whether for concessional or
market- based loans* could be mitigated through effective implementation
and evaluation of internal controls over operations and compliance.

The Bank Group*s system of internal control, adopted under the COSO
framework, could facilitate a comprehensive assessment of internal
controls over operations and compliance designed to uncover any material
internal control weaknesses in operations and compliance that need to be
corrected. A comprehensive evaluation of these controls could also provide
additional credibility to the Bank Group*s (1) internal evaluation
reporting system and (2) commitment to provide funds only to those who

use the funds for intended purposes. Such an assessment would provide
additional assurance to both the Bank Group and its member countries over
the use of funds and could be accomplished in one of several ways: (1)
through the Bank Group*s internal audit function, (2) by the external
auditor, in conjunction with its financial statement audit, giving an
opinion

on whether management*s assertions on internal controls over operations
and compliance are fairly stated, (3) by another entity within the Bank
Group, or (4) by another external entity, such as a consultant.

Such an assessment would include identifying the specific elements of the
COSO criteria that are objective, measurable, and relevant to use in
assessing the reasonableness of internal control over operations and key
charter provisions to be included in a review of compliance controls and
to define what would constitute compliance with those key provisions of
bank charters. After these significant issues are addressed, Bank Group
management would be able to comprehensively document and assess the key
controls identified and subsequently provide its assertions on the
effectiveness of those controls.

18 World Bank Operations Evaluation Department, Clean Government and
Public Financial Accountability, OED Working Paper Series No. 17,
(Washington, D. C., Summer 2000).

Bank Group Has The Bank Group*s board of executive directors has appointed
an audit

Established an Audit committee to provide, on its behalf, oversight on
matters such as the

effectiveness of financial policies and reporting; various aspects of
Committee That

financial, business, operating, and reputational risks; and internal
control Provides Oversight of

in the Bank Group entities. 19 The Bank Group*s audit committee has a
Financial Reporting

purpose, scope, and operating principles congruent with those customarily
established for audit committees. A major function of the Bank Group*s

and Internal Control audit committee is to nominate an external auditor to
conduct audits of the

Bank Group*s financial statements and determine the scope of the auditors*
work and the reports to be submitted by the auditors. The information
provided by the Bank Group on the functions of its audit

committee indicated that the audit committee*s terms of reference included
responsibilities such as those listed in table 5.

Tabl e 5: Audi t Commi ttee Responsibilities Area Responsibility

Financial policies and reporting Reviewing financial policies and other
matters having a significant bearing on financial reporting including
policies on financial sustainability, credit risks, as well as the
integrity of financial reporting and risk management processes.

Independent external audit Submitting to the executive directors the
nomination of a firm of private independent internationally established
auditors to audit the Bank Group entities* financial statements; reviewing
with the external auditors the scope, design, and results of their
examinations; and discussing their opinion on the financial statements
prior to the release of the annual financial statements and inviting the
auditors* recommendations regarding internal control and other matters.

19 In addition to the audit committee, the Bank Group has a Multilateral
Audit Advisory Group that is tasked with advising the audit committee on
audit requests by Supreme Audit Institutions, such as GAO, assessing
compliance with the agreed terms of reference for the audit, assessing
adherence to the agreed ground rules, and providing objective comment on
the resulting audit reports.

(Continued From Previous Page)

Area Responsibility

Internal audit Overseeing and assessing the effectiveness of the Bank
Group entities* internal control and satisfying itself that the Bank Group
entities* internal audit is adequate, effective, and efficient.
Periodically reviewing the guidelines, work programs, and budget for the
office to

help ensure a strong and independent audit function. Risk management
Focusing primarily on financial and operational risks as it coordinates
with other board committees that exercise oversight of other risks and
consulting with various officers of the Bank Group.

Operating principles Advising the board on other issues relating to the
financial position, controls, and risk management environment, including
reviewing the Bank Group*s mechanisms for avoiding fraud. Source: Audit
Committee*s Terms of Reference.

Information provided to us by the Bank Group indicates that the Bank Group
entities* audit committee was actively involved with the external auditor
during its financial statement audits. Audit committee activities with the
external auditor included communications about internal control
recommendations, discussions on management*s COSO assertion on internal
control over external financial reporting, the external auditor*s

opinion on management*s assertion, and considerations on the external
auditor*s conclusions on the appropriateness of accounting principles. The
information also showed that the audit committee kept current with the
work of the internal auditor. The audit committee has a particularly
important role to play in assuring

fair presentation and appropriate accountability in connection with
financial reporting, internal control, compliance and related matters. An
effective audit committee facilitates the successful performance of the
board of executive directors* oversight responsibilities for financial
operations and is an independent safeguard on corporate management with
respect to its responsibilities for preparing financial statements and
implementing an internal control framework.

The Bank Group*s audit committee currently has the external auditor
provide an opinion on management*s assertion on the Bank Group*s internal
control over external financial reporting. The audit committee has

not asked the Bank Group entities* external auditor to provide assurance
on internal control over operations or compliance. The audit committee has
the authority, as part of determining the scope of the auditor*s work, to
expand and strengthen the Bank Group entities* internal control reporting

processes by requesting the external auditor to give an opinion on
internal control over operations and compliance matters once management
decides such reporting is appropriate. A key step in this process is for
management to first apply the scope of COSO to its controls over
operations and compliance and to develop the appropriate criteria to
assert on internal control over operations and compliance matters. The
audit committee

could then have the external auditor to provide an opinion on management*s
assertions over those controls using the criteria specified by management.
Alternatively, the audit committee could work with the internal and
external auditors, other entities within the Bank Group, or an external
party to conduct a comprehensive evaluation of internal controls over
operations and compliance to determine whether such controls are in place
and are functioning properly to prevent misuse of funds and to ensure

compliance with key provisions of bank charters and policies. Conclusions
The Bank Group has taken important steps in strengthening its assessment

and reporting on internal control by performing the internal control
assessments necessary to provide an assertion on internal control over
external financial reporting and having its external auditor give an
opinion on that assertion. At the same time, Bank Group management does
not include in its assertion internal control over operations and
compliance

with key charter provisions, and it has not asked the external auditor or
any other organization, internal or external, to provide a comprehensive
evaluation of its controls over these areas. The assurance that such an
assessment can provide through reporting on internal control over
operations and compliance is especially important given the operating
risks inherent in the Bank Group*s activities. The audit committee is
wellpositioned to assign an internal party or provide an external entity
the task of providing a thorough assessment of such controls. This
additional assurance would strengthen the Bank Group*s accountability and
enhance member country assurance that funds are spent as intended.
Recommendations for

We recommend that the Secretary of the Treasury instruct the U. S.
Executive Action

Executive Director of the Bank Group to take the lead in working with the
other executive directors in developing a policy requiring the Bank Group
entities to enhance the audit function and reporting of their financial
operations. This would entail (1) conducting a comprehensive evaluation

of internal controls over operations and compliance to determine whether
such controls are in place and are functioning properly to prevent misuse
of funds and to ensure compliance with key provisions of bank charters and
policies and (2) reporting annually to the board of executive directors
through the audit committee on the progress made. This evaluation could be
carried out in any of several ways, including through the internal audit
function; by the external auditor, in conjunction with the financial
statement audit; by another entity within the Bank Group; or by an
external party, such as a consultant. These Bank Group entities should
also provide the results of the assessment to member countries annually.

Agency Comments and We received written comments from the Office of the
President of the

Our Evaluation World Bank, which represented the official response of the
World Bank Group. We also received written comments from the Deputy
Assistant

Secretary for Multilateral Development Banks and Specialized Development
Institutions at the Department of the Treasury, the agency that represents
the United States at the World Bank Group. These comments are reprinted in
their entirety in appendixes III and IV.

In its comments, the World Bank Group welcomed our recommendation for a
comprehensive assessment of internal controls over operations and
compliance with bank charters and policies but did not comment on our
recommendation that such evaluations be conducted annually. The Bank Group
stated that given the many reforms it has underway to strengthen its
control framework, an assessment of internal control over operations and
compliance would be most useful if undertaken once the range of changes
over those controls is substantially in place. We agree that effective
timing for implementing our recommendation would coincide with the Bank
Group*s implementation of reforms. It added that such changes are expected
to be complete in about 18 to 24 months.

While Treasury also agreed with our recommendation for a comprehensive
evaluation of internal controls over operations and compliance, it did not
agree that the Bank Group should follow this initial assessment with
annual evaluations. It acknowledged that periodic updates would be
reasonable but characterized annual evaluations as excessive and
unnecessary based on its view that the overall structure of internal
controls changes infrequently and usually only marginally.

Given the inherent risks in the Bank Group entities* lending activities,
we remain convinced that the Bank Group should report annually on all
three

categories of internal control* financial reporting, operations, and
compliance. Under the COSO framework, effective internal control is an
essential aspect of managing shifting environments and evolving demands
and priorities. Internal control is not one event, but a series of actions
and activities occurring throughout an entity*s operations and on an
ongoing basis. As entities strive to improve operational processes,
management should continually assess and evaluate its internal control.
Monitoring* a process that assesses the quality of an internal control
system*s performance over time* is an essential element of internal
control and is

particularly relevant for carrying out the fiduciary responsibilities that
are integral to the Bank Group*s operations. Annual reporting on internal
control is now common practice both in the public and private sector and
is

often performed in conjunction with annual financial statement audits.
Treasury pointed out that our draft report documents the sufficiency of
the Bank Group*s current external audits. Although our report provides
information about the results of the external financial statement audits
at the Bank Group, our report also makes it clear that, by design, the
objective of a financial statement audit is not to provide assurance on
internal control. The current financial statement audits cover only the
banks*

financial position at a point in time and the financial results of
operations and cash flows for a given fiscal year. Given that the Bank
Group*s external auditor*s opinion on internal control extends only to
management*s assertions on the effectiveness of internal control over
external financial

reporting, many facets of internal control would not be covered. The scope
of the financial statement audits of the Bank Group entities and the
separate assessment of controls over external financial reporting are not
intended to and do not provide specific assurance about the effectiveness
of the internal control over operations and compliance with bank charters
and key policies.

Considering the Bank Group*s reforms to strengthen internal control over
operations and compliance, we emphasize the need for annual assessments of
those controls. As acknowledged in comments from the Bank Group, internal
control is a *dynamic process,* and reforms are under way in the

Bank Group to strengthen its control framework. As the Bank Group develops
and institutes these reforms, monitoring is needed to help ensure that
controls are functioning as intended in preventing misuse of funds and
ensuring compliance with key provisions of bank charters and policies.
Annual reporting to provide accountability and transparency over lending,
equity investment, and guarantee operations carries additional importance
for the Bank Group because the international organization*s mission

requires it, as stated in its comments, *to be active in countries where
controls are weak.* As acknowledged by the Bank Group, *monitoring
exposure against defined benchmarks* is one of several changes that will
provide the banks with *significantly improved controls over lending,
equity investment, and guarantee operations.* As stated in our

recommendations, the evaluation and reporting on internal control over
operations and compliance could be carried out in several ways, including
through the internal audit function; by the external auditor, in
conjunction with the financial statement audit; by another entity within
the Bank Group; or by an external party, such as a consultant.

We are sending copies of this report to the Secretary of the Treasury, the
president of the World Bank Group, and other interested parties. Copies
will be made available to others upon request. In addition, the report
will be available at no charge on the GAO Web site at http:// www. gao.
gov.

Please contact me at (202) 512- 9406 or by email at franzelj@ gao. gov if
you or your staffs have any questions concerning this report. Key
contributors to this report were Charles Norfleet, Meg Mills, and Maxine
Hattery.

Jeanette M. Franzel Director Financial Management and Assurance

Congressional Committees The Honorable Richard G. Lugar Chairman The
Honorable Joseph R. Biden, Jr. Ranking Minority Member Committee on
Foreign Relations United States Senate

The Honorable Ted Stevens Chairman The Honorable Robert C. Byrd Ranking
Minority Member Committee on Appropriations United States Senate

The Honorable Mitch McConnell Chairman The Honorable Patrick J. Leahy
Ranking Minority Member Subcommittee on Foreign Operations Committee on
Appropriations United States Senate

The Honorable Michael G. Oxley Chairman The Honorable Barney Frank Ranking
Minority Member

Committee on Financial Services House of Representatives

The Honorable Peter T. King Chairman The Honorable Carolyn B. Maloney
Ranking Minority Member Subcommittee on Domestic and International
Monetary

Policy, Trade and Technology Committee on Financial Services House of
Representatives

The Honorable C. W. Bill Young Chairman

The Honorable David Obey Ranking Minority Member Committee on
Appropriations House of Representatives

The Honorable Jim Kolbe Chairman The Honorable Nita M. Lowey Ranking
Minority Member Subcommittee for Foreign Operations, Export

Financing, and Related Programs Committee on Appropriations House of
Representatives

Appendi Appendi xes I x Components of Internal Control under COSO The
World Bank, beginning in 1995, adopted the Committee of Sponsoring
Organizations of the Treadway Commission (COSO) internal control
framework. Under the COSO framework, there are five interrelated
components of internal control that define the minimum level of quality
acceptable for internal control in an organization and provide the basis
against which internal control is to be evaluated. The five components are
used as the criteria to evaluate the strengths and weaknesses of the
internal controls and to identify actions that can be taken to improve
controls. All five components must be present and effective in order for
management to have reasonable assurance that risks are managed to ensure
the achievement of the organization*s objectives. At the Bank Group,

management is responsible for developing the detailed policies,
procedures, and practices to fit its organization*s operations and to
ensure that they are built into and are an integral part of its
operations. The five internal control components, which apply to all
aspects of an organization*s operations, including programmatic,
financial, and compliance, include the

following:

Control environment. The control environment reflects management*s
commitment and attitude to the implementation and maintenance of an
effective internal control structure. The control environment which
management promulgates through the organization will strongly influence
the design and operation of control policies and procedures. It will also
determine how effective they are in mitigating risks and achieving
objectives.

Risk assessment. All organizations, regardless of size or nature,
encounter some form of risk that can adversely impact the achievement of
its objectives. Assessing risk is a major component of an effective
control structure. It involves the identification, analysis, assessment,
and prioritization of risks that need to be treated by control activities.

Control activities. Control activities are the tailored policies and
procedures that ensure (1) the mitigation of risks, (2) irregularities are
prevented or detected and corrected, (3) assets are safeguarded from
unauthorized use or disposal, and (4) financial records and other relevant
databases are complete and accurately reflect the entire operational

activities of the organization, and assist in timely preparation of
accurate financial statements.

Information and communication. Information and communication are critical
for performance reporting, decision making, both within the organization
and externally, and the achievement of strategic objectives.

Monitoring. Monitoring is the final component of an effective internal
control structure and is closely linked to information and communication.
In addition to performance monitoring, the effectiveness of the control
structure itself also needs to be monitored and reviewed. Control
monitoring can be undertaken in two ways, by ongoing monitoring and by
separate reviews and evaluations.

Transparency International*s 2002 Corruption

Appendi I I x Perception Index Transparency International is an
organization dedicated to curbing both international and national
corruption. Transparency International launched its Corruption Perception
Index (CPI) in 1995. The CPI is a collection of polls, drawing on 15
surveys from 9 independent sources for its 2002 results. The goal of the
CPI is to provide data on extensive perceptions of corruption within
countries. The 2002 CPI shows that the Bank Group

entities function in environments that are perceived to have high levels
of corruption, underscoring the importance of internal control over
operations and compliance within the Bank Group entities that are
providing loans to those countries.

The CPI serves as an important indicator of the image a country conveys to
investors and potential business partners. Because the CPI is derived from
15 different surveys that garner the perceptions of both residents and
expatriates, both business people and risk analysts, the index provides a
snapshot of the views of the people who make key decisions on investment
and trade. The CPI builds public awareness of the corruption issue, and it
adds to pressure on governments to directly address the issue and the
damaged image of their nation that low rankings in the CPI reflect.

The CPI is a composite index that consists of credible sources using
diverse sampling frames and different methodologies, including one used by
the World Bank. The methodology is reviewed by a steering committee

consisting of leading international experts in the fields of corruption,
econometrics, and statistics. Members of the steering committee make
suggestions to improve the CPI, but the management of Transparency
International makes the final decisions on the methodology used. For the

2002 CPI, data was included from the following organizations* surveys and
documents:

 World Bank, World Business Environment Survey;  World Economic Forum,
Africa Competitiveness and Global

Competitiveness Reports;  Institute for Management Development, World
Competitiveness

Yearbook;  PricewaterhouseCoopers, Opacity Index;  Political & Economic
Risk Consultancy, Asian Intelligence Issue;

 Economist Intelligence Unit, Country Risk Service and Country Forecast;

 Freedom House, Nations in Transit;  Gallup International on behalf of
Transparency International, Bribe

Payers Index; and  Columbia University, State Capacity Survey. No country
was included in the CPI without results from a minimum of three surveys
undertaken over the past 3 years. For this reason, not all countries with
high levels of corruption may have been added. Figure 4 includes the
borrower countries by region.

Figure 4: Countries Included in Transparency International*s 2002 CPI
Africa

South Asia Other

Country CPI

Country CPI

Country CPI

Nigeria 1.6

Bangladesh 1.2

Greece 4.2

Angola 1.7

Pakistan 2.6

Italy 5.2

Madagascar 1.7

India 2.7

Tai wan 5.6

Kenya 1.9

Sri Lanka 3.7

France 6.3

Uganda 2.1

East Asia and Pacific

Portugal 6.3

Cameroon 2.2

Ireland 6.9

Zambia 2.6

Country CPI

Belgium 7.1

Cote d'Ivoire 2.7

Indonesia 1.9

Japan 7.1

Tanzania 2.7

Vietnam 2.4

Spain 7.1

Zimbabwe 2.7

Philippines 2.6

Germany 7.3

Malawi 2.9

Thailand 3.2

Israel 7.3

Senegal 3.1

China 3.5

USA 7.7

Ethiopia 3.5

Korea, Republic of 4.5

Austria 7.8

Ghana 3.9

Malaysia 4.9

Hong Kong 8.2

Mauritius 4.5

Europe and Central Asia

Norway 8.5

South Africa 4.8

Switzerland 8.5

Namibia 5.7

Country CPI

Austrailia 8.6

Botswana 6.4

Azerbaijan 2.0

United Kingdom 8.7

Middle East

Moldova 2.1

Canada 9.0

and North Africa

Kazakhstan 2.3

Luxembourg 9.0

Country CPI

Georgia 2.4

Netherlands 9.0

Egypt 3.4

Ukraine 2.4

Singapore 9.3

Morocco 3.7

Albania 2.5

Sweden 9.3

Jordan 4.5

Romania 2.6

Iceland 9.4

Tunisia 4.8

Russian Federation 2.7

Denmark 9.5

Latin America and the

Uzbekistan 2.9

New Zealand 9.5

Caribbean

Turkey 3.2

Finland 9.7

Czech Republic 3.7

Country CPI

Latvia 3.7

Paraguay 1.7

Slovak Republic 3.7

Bolivia 2.2

Croatia 3.8

Ecuador 2.2

Bulgaria 4.0

Haiti 2.2

Poland 4.0

Guatemala 2.5

Belarus 4.8

Nicaragua 2.5

Lithuania 4.8

Venezuela 2.5

Hungary 4.9

Honduras 2.7

Estonia 5.6

Argentina 2.8

Slovenia 6.0

Panama 3.0

El Salvador 3.4

Dominican Republic 3.5

Colombia 3.6

Corruption Perception Index (CPI)

Mexico 3.6

0 10

Brazil 4.0

Jamaica 4.0

Corrupt Transparent

Peru 4.0

Costa Rica 4.5

Trinidad and Tobago 4.9

Uruguay 5.1

Chile 7.5

Source: The World Bank's 2002 annual report and the countries' CPI score
from Transparency International.

Appendi I I I x Comments from the World Bank Group

Comments from the Department of the

Appendi V I x Treasury

(194069)

GAO*s Mission The General Accounting Office, the audit, evaluation and
investigative arm of Congress, exists to support Congress in meeting its
constitutional responsibilities

and to help improve the performance and accountability of the federal
government for the American people. GAO examines the use of public funds;
evaluates federal programs and policies; and provides analyses,
recommendations, and other assistance to help Congress make informed
oversight, policy, and funding decisions. GAO*s commitment to good
government is reflected in its core values of accountability, integrity,
and reliability.

Obtaining Copies of The fastest and easiest way to obtain copies of GAO
documents at no cost is

through the Internet. GAO*s Web site (www. gao. gov) contains abstracts
and fulltext GAO Reports and

files of current reports and testimony and an expanding archive of older
Testimony

products. The Web site features a search engine to help you locate
documents using key words and phrases. You can print these documents in
their entirety, including charts and other graphics.

Each day, GAO issues a list of newly released reports, testimony, and
correspondence. GAO posts this list, known as *Today*s Reports,* on its
Web site daily. The list contains links to the full- text document files.
To have GAO e- mail this

list to you every afternoon, go to www. gao. gov and select *Subscribe to
GAO Mailing Lists* under *Order GAO Products* heading.

Order by Mail or Phone The first copy of each printed report is free.
Additional copies are $2 each. A check or money order should be made out
to the Superintendent of Documents. GAO

also accepts VISA and Mastercard. Orders for 100 or more copies mailed to
a single address are discounted 25 percent. Orders should be sent to:

U. S. General Accounting Office 441 G Street NW, Room LM Washington, D. C.
20548

To order by Phone: Voice: (202) 512- 6000 TDD: (202) 512- 2537 Fax: (202)
512- 6061

To Report Fraud, Contact:

Waste, and Abuse in Web site: www. gao. gov/ fraudnet/ fraudnet. htm

E- mail: fraudnet@ gao. gov Federal Programs

Automated answering system: (800) 424- 5454 or (202) 512- 7470 Public
Affairs Jeff Nelligan, Managing Director, NelliganJ@ gao. gov (202) 512-
4800

U. S. General Accounting Office, 441 G Street NW, Room 7149 Washington, D.
C. 20548

a

GAO United States General Accounting Office

The Bank Group has taken important steps in strengthening its assessment
and reporting on internal control, including (1) implementing a structured
internal control framework, (2) conducting the internal control
assessments necessary to provide its external auditor with an assertion
about the effectiveness of the Bank Group*s internal control over external
financial reporting, and (3) contracting with its external auditor to
provide an opinion, in conjunction with the financial statement audit, on
whether management*s assertion on internal control over external financial
reporting is fairly stated. However, Bank Group management does not
include an assertion on internal

control over operations and compliance matters, and it has not asked the
external auditor to give an opinion on those internal controls. During our
review, we were told that the Bank Group does not yet have plans to
conduct a comprehensive assessment of those controls. The Bank Group*s
external financial statement audits do not, and are not intended to,
provide specific assurance about the internal control over the Bank
Group*s operations and whether the funds are spent for their intended
purposes. Given the inherent risks in the banks* activities, additional
assurance on these other categories of internal control* operations and
compliance* would provide an added level of assurance to the Bank Group
and its member countries that funds were used for their intended purposes.
The Bank Group has established an audit committee that provides oversight

of external financial statement audits and internal control. A major
function of the committee is to nominate an external auditor and determine
the scope of the auditor*s work and the reports to be submitted by the
auditor. The audit committee also has the external auditor give an
opinion, in conjunction with the financial statement audit, on
management*s assertion on the Bank Group*s internal control over external
financial reporting. The audit committee has the authority to expand the
external audits to include the auditor giving opinions on internal control
over operations and compliance matters. Alternatively, the audit committee
is also well- positioned to assign to an internal party or provide an
external party the task of providing a thorough assessment of such
controls.

Categories of Internal Control

The Congress passed Public Law 106- 429 because it was concerned about the
sufficiency of external audits of the financial operations of the World
Bank Group, a set of

multilateral development banks. This law provides that GAO report on the
sufficiency of such audits of each Bank Group entity. As agreed

with your offices, GAO addressed (1) the extent that the external auditor
was providing assurance on internal control over financial reporting,
operations, and compliance with key provisions of bank charters and
policies in conjunction with financial

statement audits and (2) the role the Bank Group*s audit committee plays
in providing oversight of external financial statement audits and internal
control. To provide greater assurance that the Bank Group*s funds are
spent

as intended, GAO is making recommendations for a comprehensive assessment
of internal control over operations and compliance matters and annual
evaluations of such controls. The Bank Group and the U. S. Treasury
Department agreed on the

need for a comprehensive assessment of those controls. Treasury did not
agree that annual evaluations should be done and the Bank Group, which has
reforms on those controls underway, made no

comment on timing. We continue to believe that such annual evaluations are
necessary.

www. gao. gov/ cgi- bin/ getrpt? GAO- 03- 366. To view the full report,
including the scope and methodology, click on the link above. For more
information, contact Jeanette Franzel at (202) 512- 9406 or franzelj@ gao.
gov. Highlights of GAO- 03- 366, a report to

Congressional Committees

June 2003

WORLD BANK GROUP

Important Steps Taken on Internal Control but Additional Assessments
Should Be Made

Page i GAO- 03- 366 World Bank Group

Contents

Contents

Page ii GAO- 03- 366 World Bank Group

Page 1 GAO- 03- 366 World Bank Group United States General Accounting
Office

Washington, D. C. 20548 Page 1 GAO- 03- 366 World Bank Group

A

Page 2 GAO- 03- 366 World Bank Group

Page 3 GAO- 03- 366 World Bank Group

Page 4 GAO- 03- 366 World Bank Group

Page 5 GAO- 03- 366 World Bank Group

Page 6 GAO- 03- 366 World Bank Group

Page 7 GAO- 03- 366 World Bank Group

Page 8 GAO- 03- 366 World Bank Group

Page 9 GAO- 03- 366 World Bank Group

Page 10 GAO- 03- 366 World Bank Group

Page 11 GAO- 03- 366 World Bank Group

Page 12 GAO- 03- 366 World Bank Group

Page 13 GAO- 03- 366 World Bank Group

Page 14 GAO- 03- 366 World Bank Group

Page 15 GAO- 03- 366 World Bank Group

Page 16 GAO- 03- 366 World Bank Group

Page 17 GAO- 03- 366 World Bank Group

Page 18 GAO- 03- 366 World Bank Group

Page 19 GAO- 03- 366 World Bank Group

Page 20 GAO- 03- 366 World Bank Group

Page 21 GAO- 03- 366 World Bank Group

Page 22 GAO- 03- 366 World Bank Group

Page 23 GAO- 03- 366 World Bank Group

Page 24 GAO- 03- 366 World Bank Group

Page 25 GAO- 03- 366 World Bank Group

Page 26 GAO- 03- 366 World Bank Group

Page 27 GAO- 03- 366 World Bank Group

Page 28 GAO- 03- 366 World Bank Group

Appendix I

Appendix I Components of Internal Control under COSO

Page 29 GAO- 03- 366 World Bank Group

Page 30 GAO- 03- 366 World Bank Group

Appendix II

Appendix II Transparency International*s 2002 Corruption Perception Index

Page 31 GAO- 03- 366 World Bank Group

Appendix II Transparency International*s 2002 Corruption Perception Index

Page 32 GAO- 03- 366 World Bank Group

Page 33 GAO- 03- 366 World Bank Group

Appendix III

Appendix III Comments from the World Bank Group

Page 34 GAO- 03- 366 World Bank Group

Appendix III Comments from the World Bank Group

Page 35 GAO- 03- 366 World Bank Group

Page 36 GAO- 03- 366 World Bank Group

Appendix IV

Appendix IV Comments from the Department of the Treasury

Page 37 GAO- 03- 366 World Bank Group

Appendix IV Comments from the Department of the Treasury

Page 38 GAO- 03- 366 World Bank Group

United States General Accounting Office Washington, D. C. 20548- 0001
Official Business Penalty for Private Use $300 Address Service Requested

Presorted Standard Postage & Fees Paid

GAO Permit No. GI00
*** End of document. ***